SCPWD - v0.1b
=============

This software has only been tested with the Towitoki Chipdrive Micro and
the M16 'Password Card' that came with the drive. The backend access to
the drive is provided by the PC/SC lite package (c) by David Corcoran,
which is required for the operation. It can be found at
http://www.linuxnet.com (the home of MUSCLE).

This SmartCard-PWD "system" is Copyright (c) 2001 lukas schroeder.
All rights reserved. Also see the LICENSE file.

For instructions on COMPILING and INSTALLING this package, please read
the INSTALL file.

Contents:
  the GUI
  the PAM-Module
  the DATA format


The Password Card GUI
=====================

Menu:
  App:
    -> Load from File        Opens the file selector and shows the stored recordset
    -> Save to File          Stores the current recordset to a file of choice
    -> Load from Smartcard   Retrieves the recordset already stored on the card
    -> Save to Smartcard     Stores the current recordset to the card
    -> Quit                  will destroy your computer
  Items:
    -> Services              Add / Remove service names
    -> Logins                Add / Remove login names

Before you can use a Service or Loginname to create a password entry
you have to register the name in the Items menu using the desired menu
item.

Altering any entry is currently not supported. You have to remove and
then re-add entries that should be changed.


The PAM-Module: pam_smartcard.so
================================

The pam_smartcard module expects the password strings stored on the
smartcard to be in encrypted (strcmp()'able) form, which for instance
means that you'll have to cut'n'paste the password field of your
/etc/shadow entry into the password field of the GUI for the module
to work.

My pam configuration to test the pam module:

  auth sufficient /lib/security/pam_smartcard.so
  auth required   /lib/security/pam_unix.so

This means that the authentication is against pam_smartcard IF the
drive AND the card are accessible AND the card can SUCCESSFULLY
authenticate you for the requested username. If this fails, you can
still login using the default Unix authentication.

Consult the PAM documentation before doing ANY changes to your PAM
configuration !!!!!


The DATA Format
===============

Information is divided into 3 parts:

  - topic (service)
  - key   (login)
  - value (password)

Values are stored for each record, while topics and keys are enumerated
and referenced in the entry by their index. An index of -1 (0xff)
indicates that a topic or key wasn't set for an entry.

A collection is introduced by the 3-byte magic number 'PWD', followed by
2 bytes (high, low) storing the number of bytes to follow.

Now the list of topics begins. Topics are separated from each other by
NULs (\000) and the topic list itself is terminated by \001. When
reading in the topics the enumeration starts at 0 and is used later for
connecting services and keys to certain values.

After the list of topics the key list follows in the same manner (keys
separated by \000, list terminated by \001).

Right after the key list's \001 the list of values is stored. Each value
is prefixed by two 2-byte values indicating the service and key
associated with that value: the first 2 bytes reference the service,
whereas the second 2 bytes point into the key list. Yet again, each
value is separated by NULs and the list is once again terminated by a
\001.

The number of services and keys is limited to 255. The maximum length
of the whole recordset is 64kb.

An Example: (\001 is only 1 byte, of course)

  PWD\000\027\001lukas\000\001ff00aaaaaaaaaaaaa\000\001

This translates into:

  Topics (Services):
    [ none! ]

  Keys (Logins):
    Index  Value
    00     lukas

  Values (Passwords):
    Index  Topic  Key  Value
    00     -1     00   -> lukas   aaaaaaaaaaaaa
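A parser for this recordset format, added here as an example and not part of SCPWD itself. It assumes the per-value index prefixes are two ASCII hex characters each, as written in the example above ('ff' meaning unset), and that the 2-byte length is the big-endian byte count of the body; it checks the length field, the list terminators and every index against the list sizes before accepting anything read from the card, and the sample recordset is constructed from the README example.

```python
import struct

MAGIC = b"PWD"
MAX_ITEMS = 255    # the README limits topics and keys to 255 each; index 'ff' (-1) means unset

def _read_list(buf, pos):
    """Read NUL-separated ASCII items up to the \\001 terminator; return (items, next pos)."""
    items = []
    while pos < len(buf):
        if buf[pos] == 0x01:
            return items, pos + 1
        end = buf.find(b"\x00", pos)
        if end == -1:
            raise ValueError("item at offset %d is not NUL-terminated" % pos)
        items.append(buf[pos:end].decode("ascii"))
        pos = end + 1
    raise ValueError("list not terminated by \\001 before end of data")

def _index(hexpair, count):
    """Two ASCII hex digits -> list index, 'ff' meaning unset (-1); assumed from the example."""
    n = int(hexpair, 16)            # raises ValueError on a missing or non-hex prefix
    if n == 0xFF:
        return -1
    if n >= count:
        raise ValueError("index %d points past the %d-item list" % (n, count))
    return n

def parse_pwd(data):
    """Parse one recordset into (topics, keys, records); record = (topic_idx, key_idx, value)."""
    if len(data) < 5 or data[:3] != MAGIC:
        raise ValueError("missing 'PWD' magic or length field")
    (length,) = struct.unpack(">H", data[3:5])   # 2 bytes, high then low
    body = data[5:]
    if len(body) != length:                      # never trust the length field on its own
        raise ValueError("length field says %d bytes, found %d" % (length, len(body)))
    topics, pos = _read_list(body, 0)
    keys, pos = _read_list(body, pos)
    if len(topics) > MAX_ITEMS or len(keys) > MAX_ITEMS:
        raise ValueError("more than %d topics or keys" % MAX_ITEMS)
    raw, pos = _read_list(body, pos)
    if pos != len(body):
        raise ValueError("%d trailing bytes after the value list" % (len(body) - pos))
    records = [(_index(v[:2], len(topics)), _index(v[2:4], len(keys)), v[4:]) for v in raw]
    return topics, keys, records

# Constructed sample mirroring the README example, length computed from the body:
# no topics, one key "lukas", one value with topic unset ("ff") and key index 0 ("00").
_BODY = b"\x01" + b"lukas\x00" + b"\x01" + b"ff00" + b"a" * 13 + b"\x00" + b"\x01"
SAMPLE = MAGIC + struct.pack(">H", len(_BODY)) + _BODY
```

Calling parse_pwd(SAMPLE) yields no topics, the single key "lukas", and one record (-1, 0, "aaaaaaaaaaaaa"), matching the table above.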